VPC endpoints that must be set up in advance:
| Service | Endpoint |
|---|---|
| Amazon EC2 | com.amazonaws.region-code.ec2 |
| Amazon Elastic Container Registry (for pulling container images) | com.amazonaws.region-code.ecr.api, com.amazonaws.region-code.ecr.dkr, and com.amazonaws.region-code.s3 |
| Application Load Balancers and Network Load Balancers | com.amazonaws.region-code.elasticloadbalancing |
| EC2 Auto Scaling | com.amazonaws.region-code.autoscaling |
| Amazon CloudWatch Logs | com.amazonaws.region-code.logs |
| AWS Security Token Service (required when using IAM roles for service accounts) | com.amazonaws.region-code.sts |
Reference: https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html
Deploy the VPC + private subnets + VPC endpoints with CloudFormation: https://amazon-eks.s3.us-west-2.amazonaws.com/cloudformation/2020-06-10/amazon-eks-fully-private-vpc.yaml
After the stack finishes deploying, take the subnet IDs from the CloudFormation outputs:

Save the following file as private-cluster.yaml, replacing the subnet IDs accordingly:
```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: prod
  region: us-east-1
managedNodeGroups:
  - name: ng-1
    instanceType: m5.xlarge
    desiredCapacity: 2
    privateNetworking: true
vpc:
  subnets:
    private:
      us-east-1a:
        id: "subnet-xxxx"
      us-east-1b:
        id: "subnet-xxxx"
      us-east-1c:
        id: "subnet-xxxx"
  clusterEndpoints:
    publicAccess: true
    privateAccess: true
```
Create the cluster:
```shell
eksctl create cluster -f private-cluster.yaml
```
Because both privateAccess and publicAccess are set to true under clusterEndpoints, kubectl can reach the cluster from the public internet as well.
Because the VPC has no route to the public internet, creating a pod fails if its image is hosted in a public registry:
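Before running `eksctl create cluster`, it is worth confirming that every endpoint from the table above actually exists in the VPC, since a missing one only shows up later as a node that never joins or an image that never pulls. The script below is an added example, not part of the original post or of eksctl; it assumes a configured AWS CLI, and the VPC ID and region are placeholders.

```shell
#!/usr/bin/env bash
# Added example: verify that a VPC has all endpoints a fully private
# EKS cluster needs (the service list from the table above).
# Assumes the AWS CLI is configured; VPC ID / region are placeholders.

# Service suffixes of the required endpoints; the region is inserted at run time.
REQUIRED_SERVICES="ec2 ecr.api ecr.dkr s3 elasticloadbalancing autoscaling logs sts"

# required_endpoint_names REGION -> prints "com.amazonaws.REGION.<svc>", one per line
required_endpoint_names() {
  region="$1"
  for svc in $REQUIRED_SERVICES; do
    printf 'com.amazonaws.%s.%s\n' "$region" "$svc"
  done
}

# missing_endpoints REGION "<present service names, one per line>"
# Prints required names absent from the present list; prints nothing when
# the VPC is complete. Pure function, so it can be checked without AWS access.
missing_endpoints() {
  region="$1"
  present="$2"
  required_endpoint_names "$region" | while IFS= read -r name; do
    printf '%s\n' "$present" | grep -qxF "$name" || printf '%s\n' "$name"
  done
}

# check_vpc VPC_ID REGION -> exit 1 and list the gaps when anything is missing.
# describe-vpc-endpoints with text output returns tab-separated names on one
# line, hence the tr to get one name per line.
check_vpc() {
  vpc_id="$1"
  region="$2"
  present=$(aws ec2 describe-vpc-endpoints --region "$region" \
      --filters "Name=vpc-id,Values=$vpc_id" \
      --query 'VpcEndpoints[].ServiceName' --output text | tr '\t' '\n')
  missing=$(missing_endpoints "$region" "$present")
  if [ -n "$missing" ]; then
    echo "Missing VPC endpoints in $vpc_id:"
    echo "$missing"
    return 1
  fi
  echo "All required endpoints present in $vpc_id"
}

# Usage with placeholder values (constructed, not a real VPC):
# check_vpc vpc-0123456789abcdef0 us-east-1
```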

Create a pod using an image from ECR:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat
  labels:
    app: tomcat
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
        - name: tomcat
          image: 145197526627.dkr.ecr.us-east-1.amazonaws.com/java-app
          imagePullPolicy: Always
          env:
            - name: ALLOW_EMPTY_PASSWORD
              value: "yes"
          ports:
            - containerPort: 80
              protocol: TCP
```
The cluster pulls the image through the ECR endpoints and the deployment succeeds:
